ppkarwasz opened a new pull request, #10: URL: https://github.com/apache/logging-site/pull/10

In this PR, we expand our threat model to cover:

- A better definition of the users we trust and those we don't.
- A list of resources that untrusted users should not control.
- A clear list of threats (with an example CWE) and whether Apache Logging Services considers that threat a vulnerability.

You can appeal to the pope if you want, `PatternLayout` will never be anything else than a glorified `printf`.

I mark this PR as draft, since it is still rough around the edges, somehow Log4j-specific (lacks references to Log4cxx/Log4net documentation) and might miss some cases that "reporters" will use to spam our YesWeHack program.